Roll AFL 2.31b:2.38b and switch coverage to use trace-pc-guard.

third_party/afl/src/afl-tmin.c

 /*
    american fuzzy lop - test case minimizer
    ----------------------------------------
 
    Written and maintained by Michal Zalewski <lcamtuf@google.com>
 
    Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ skipping 28 matching lines @@
 
 #include <sys/wait.h>
 #include <sys/time.h>
 #include <sys/shm.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/resource.h>
 
 static s32 child_pid;                 /* PID of the tested program         */
 
-static u8* trace_bits;                /* SHM with instrumentation bitmap   */
+static u8 *trace_bits,                /* SHM with instrumentation bitmap   */
+          *mask_bitmap;               /* Mask for trace bits (-B)          */
 
 static u8 *in_file,                   /* Minimizer input test case         */
           *out_file,                  /* Minimizer output file             */
           *prog_in,                   /* Targeted program input file       */
           *target_path,               /* Path to target binary             */
           *doc_path;                  /* Path to docs                      */
 
 static u8* in_data;                   /* Input data for trimming           */
 
 static u32 in_len,                    /* Input data length                 */
@@ skipping 51 matching lines @@
     while (i--) {
       *mem = count_class_lookup[*mem];
       mem++;
     }
 
   }
 
 }
 
 
+/* Apply mask to classified bitmap (if set). */
+
+static void apply_mask(u32* mem, u32* mask) {
+
+  u32 i = (MAP_SIZE >> 2);
+
+  if (!mask) return;
+
+  while (i--) {
+
+    *mem &= ~*mask;
+    mem++;
+    mask++;
+
+  }
+
+}
+
+
 /* See if any bytes are set in the bitmap. */
 
 static inline u8 anything_set(void) {
 
   u32* ptr = (u32*)trace_bits;
   u32  i   = (MAP_SIZE >> 2);
 
   while (i--) if (*(ptr++)) return 1;
 
   return 0;
@@ skipping 176 matching lines @@
   setitimer(ITIMER_REAL, &it, NULL);
 
   MEM_BARRIER();
 
   /* Clean up bitmap, analyze exit condition, etc. */
 
   if (*(u32*)trace_bits == EXEC_FAIL_SIG)
     FATAL("Unable to execute '%s'", argv[0]);
 
   classify_counts(trace_bits);
+  apply_mask((u32*)trace_bits, (u32*)mask_bitmap);
   total_execs++;
 
   if (stop_soon) {
     SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST);
     exit(1);
   }
 
   /* Always discard inputs that time out. */
 
   if (child_timed_out) {
@@ skipping 585 matching lines @@
     target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
     return new_argv;
 
   }
 
   FATAL("Unable to find 'afl-qemu-trace'.");
 
 }
 
 
+/* Read mask bitmap from file. This is for the -B option. */
+
+static void read_bitmap(u8* fname) {
+
+  s32 fd = open(fname, O_RDONLY);
+
+  if (fd < 0) PFATAL("Unable to open '%s'", fname);
+
+  ck_read(fd, mask_bitmap, MAP_SIZE, fname);
+
+  close(fd);
+
+}
+
+
+
 /* Main entry point */
 
 int main(int argc, char** argv) {
 
   s32 opt;
   u8  mem_limit_given = 0, timeout_given = 0, qemu_mode = 0;
   char** use_argv;
 
   doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
 
   SAYF(cCYA "afl-tmin " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
 
-  while ((opt = getopt(argc,argv,"+i:o:f:m:t:xeQ")) > 0)
+  while ((opt = getopt(argc,argv,"+i:o:f:m:t:B:xeQ")) > 0)
 
     switch (opt) {
 
       case 'i':
 
         if (in_file) FATAL("Multiple -i options not supported");
         in_file = optarg;
         break;
 
       case 'o':
@@ skipping 71 matching lines @@
         break;
 
       case 'Q':
 
         if (qemu_mode) FATAL("Multiple -Q options not supported");
         if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU;
 
         qemu_mode = 1;
         break;
 
+      case 'B': /* load bitmap */
+
+        /* This is a secret undocumented option! It is speculated to be useful
+           if you have a baseline "boring" input file and another "interesting"
+           file you want to minimize.
+
+           You can dump a binary bitmap for the boring file using
+           afl-showmap -b, and then load it into afl-tmin via -B. The minimizer
+           will then minimize to preserve only the edges that are unique to
+           the interesting input file, but ignoring everything from the
+           original map.
+
+           The option may be extended and made more official if it proves
+           to be useful. */
+
+        if (mask_bitmap) FATAL("Multiple -B options not supported");
+        mask_bitmap = ck_alloc(MAP_SIZE);
+        read_bitmap(optarg);
+        break;
+
       default:
 
         usage(argv[0]);
 
     }
 
   if (optind == argc || !in_file || !out_file) usage(argv[0]);
 
   setup_shm();
   setup_signal_handlers();
@@ skipping 39 matching lines @@
   ACTF("Writing output to '%s'...", out_file);
 
   close(write_to_file(out_file, in_data, in_len));
 
   OKF("We're done here. Have a nice day!\n");
 
   exit(0);
 
 }